Welcome - Sharing information with the community related to Microsoft SharePoint security, information protection and permissions. Topics will also cover identity federation, claims and software development. Articles will at times be technical and focussed at developers/architects. They will also be higher level and discuss concepts and customer use cases. Have a look around, share your thoughts and I do hope you find some helpful content.


Tuesday, July 5, 2016

Why Upgrade DirSync To Azure AD Connect

I've worked with several clients recently that are still using older versions of the Microsoft Active Directory synchronization tool, affectionately named DirSync, and have not yet upgraded to the latest version, which is now called Azure AD Connect. Integrating your on-premises directory with Azure AD makes your users more productive by providing a common identity for accessing multiple resources. Managing the synchronization process in a well-planned, robust and automated way helps to ensure that users can reliably access both on-premises and cloud environments in Office 365.

Short Product History

DirSync was a free tool from Microsoft, originally released in 2012/2013, which synchronizes Active Directory objects such as user accounts and groups from an on-premises Active Directory forest to an instance of Azure Active Directory. That Azure Active Directory instance can reside in Office 365.

DirSync allowed organizations that wanted to move internally hosted services to Office 365 to continue managing their user accounts within an on-premises AD forest if they wished. This simplified the migration to Office 365. It was also a required base technology component if you wanted to deploy services in a hybrid configuration with Office 365 - for example, if you wanted to run a SharePoint farm on-premises alongside SharePoint Online in Office 365 and have the two environments work together.

DirSync received a major update in October 2014, which most notably removed the need for the FIM infrastructure, and was renamed Azure AD Sync (AAD Sync). At that time both DirSync and Azure AD Sync continued to be supported, because AAD Sync did not yet include all capabilities of DirSync.

In June 2015 another major update was publicly released and the product was renamed once again to its current form: Azure AD Connect 1.0. AD Connect combines all capabilities of both DirSync and AAD Sync into one product. DirSync and AAD Sync are now deprecated, and all future fixes and enhancements are being implemented in AD Connect. In February 2016, AD Connect version 1.1 was released with further major enhancements. When installing version 1.1, ensure that you install Azure AD Connect version 1.1.110.0 from February 26, 2016 or later, which can be downloaded here: Azure AD Connect Download.

DirSync & Azure AD Sync Deprecated & Support Ends April 2017

We already know that all new investment has gone into Azure AD Connect and that no new updates are being released for DirSync or AAD Sync. On April 13, 2016, however, Microsoft announced that both DirSync and Azure AD Sync are now deprecated, and that support for both will officially end on April 13, 2017 - here is the Official Announcement.

This alone is one major reason to upgrade to Azure AD Connect.

Reasons to Upgrade to Azure AD Connect

If you're looking for more specific reasons to upgrade to Azure AD Connect from the original DirSync, here are those which I feel are most notable:

Replacement of FIM - The underlying FIM (Forefront Identity Manager) infrastructure has been completely removed and replaced with the product's own dedicated synchronization infrastructure, allowing much more customization and control over the synchronization process. In the past we had ways to manipulate the sync process, but they were not necessarily supported by Microsoft. The control and flexibility we now have is fully supported by Microsoft.

Automatic Upgrades - The upgrade to AD Connect from any previous version, including DirSync and AAD Sync, is very simple: you run the AD Connect installation wizard on the server that is already running the previous version (DirSync, AAD Sync or even an older version of AD Connect) and the wizard seamlessly upgrades it to the latest version of AD Connect.

More Frequent Synchronization - The default scheduling frequency has changed from every 3 hours to every 30 minutes. This is a huge change that lets changes to user accounts in your on-premises AD reach Azure AD and Office 365 much faster.

Built-In Scheduler - AD Connect now has its own built-in scheduler for controlling the timing of the synchronization process. Previous versions relied on a scheduled task in Windows Task Scheduler; having a built-in scheduler means that you have greater, and supported, control over the timing and frequency of the synchronization process.

Manual Synchronization via PowerShell - You can manually start a full synchronization using the PowerShell cmdlet Start-ADSyncSyncCycle -PolicyType Initial. If you wish to synchronize only changes, use Start-ADSyncSyncCycle -PolicyType Delta instead. This is useful in a multi-forest environment, where a full sync can take a very long time depending on the number of objects.

Robust PowerShell Support - The product now has robust PowerShell support for a whole suite of commands, including starting a sync, stopping a sync and even configuring the scheduler. You can also check the status of a sync currently in progress with the cmdlet Get-ADSyncConnectorRunStatus. You can see a full list of supported commands here: Azure AD Connect Documentation and Azure AD Connect Scheduler.
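The following script is an added example (not from the original post or the product documentation) that ties together the manual sync and scheduler cmdlets named in the two items above: it refuses to run on a Staging Mode server, avoids starting a cycle while one is already running, triggers a delta sync, waits for it to finish and then reports when the built-in scheduler will next fire. It assumes the ADSync module that ships with Azure AD Connect 1.1 and a session that is a member of the local ADSyncAdmins group; the timeout value and function name are my own.

```powershell
# Added example: guarded delta sync on an Azure AD Connect 1.1 server.
# Assumes the ADSync module installed with Azure AD Connect and an elevated
# session in the local ADSyncAdmins group (assumption, not from the post).
Import-Module ADSync

function Invoke-GuardedDeltaSync {
    param([int]$TimeoutMinutes = 30)   # hypothetical default, tune per tenant size

    $scheduler = Get-ADSyncScheduler

    # A Staging Mode server imports and syncs but never exports to Azure AD,
    # so a manual cycle here would not push any change to the tenant.
    if ($scheduler.StagingModeEnabled) {
        throw "This server is in Staging Mode; run the sync from the active server."
    }
    if (-not $scheduler.SyncCycleEnabled) {
        Write-Warning "SyncCycleEnabled is False: only this manual cycle will run."
    }

    # Start-ADSyncSyncCycle fails if a cycle is already running, so check first.
    if (Get-ADSyncConnectorRunStatus) {
        throw "A sync cycle is already in progress; wait for it to finish."
    }

    # Delta = changes only; use -PolicyType Initial for a full sync.
    Start-ADSyncSyncCycle -PolicyType Delta | Out-Null

    # Poll the run status until every connector run has finished or we time out.
    $deadline = (Get-Date).AddMinutes($TimeoutMinutes)
    do {
        Start-Sleep -Seconds 15
        $running = Get-ADSyncConnectorRunStatus
        if ($running) { Write-Verbose ($running | Out-String) }
    } while ($running -and (Get-Date) -lt $deadline)

    if ($running) {
        throw "Sync did not complete within $TimeoutMinutes minutes."
    }

    # Show the effective interval and next start time so that a manual run is
    # not mistaken for a broken scheduler during troubleshooting.
    Get-ADSyncScheduler |
        Select-Object CurrentlyEffectiveSyncCycleInterval,
                      NextSyncCycleStartTimeInUTC,
                      NextSyncCyclePolicyType
}

Invoke-GuardedDeltaSync -Verbose
```

The same Get-ADSyncScheduler output is what you would check first when a change made in on-premises AD has not appeared in Office 365 within the expected 30 minutes.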

Multi-Factor Authentication for the Global Admin Account - You can now use Azure multi-factor authentication (MFA) when first configuring the AD Connect installation and when doing its first synchronization with Azure AD. This is new in version 1.1.

Domain and OU Filtering - You may now select specific domains or organizational units (OUs) to synchronize in the AD Connect configuration wizard. Although it was previously possible to do this by manipulating the sync services console, it is now much easier to configure and manage. This feature lets you focus the synchronization process on only specific domains or OUs in your organization, thereby simplifying the overall and ongoing management of the process.

AD Attribute Filtering - Users can now be filtered out of the synchronization process based on the values of their AD attributes.

Change the User's Sign-In Method (even after first sync) - In previous versions, if the user sign-in method changed, you had to delete the synchronization configuration and reinstall it. It is now possible to change the sign-in method after the first configuration and first sync simply by running the Azure AD Connect configuration wizard again.

Staging Mode - You can deploy a second AD Connect server in the AD forest in "Staging Mode". This allows the server to stand by, ready to take over should the main synchronization server become unavailable. Switching the Staging Mode AD Connect server to full active mode is still a manual process.

Azure AD Connect Health for Sync - This new component is installed with AD Connect and lets you automatically monitor the health of your AD synchronization process. It sends email alert notifications when critical events related to the health of the environment occur, and it provides insights into the latency of the sync process and trends in user adds, updates and deletes. More information is available on this component here and here.

Some of these features came with the upgrade to AAD Sync, but many were only recently provided in AD Connect 1.1. The release history of Azure AD Connect can be found here: Azure AD Connect Release History.

We have seen major updates to DirSync over the last several years that provide a lot of value to our environments by making it much easier to manage the synchronization of on-premises user identities to Azure AD and Office 365. Given these great new capabilities and the fact that support officially ends on April 13, 2017 for both DirSync and Azure AD Sync, upgrading to Azure AD Connect is highly recommended and, ultimately, necessary.

About Me

Antonio Maio is an information security architect with over 25 years of experience in cyber security practices and systems, product management, software development and leadership. Antonio is currently a Senior Manager and Senior SharePoint Architect with Protiviti. He has been awarded a Microsoft Most Valuable Professional award for 5 consecutive years, from 2012 to 2016, specializing in Microsoft SharePoint Server, Office 365 and Office Services. His background includes implementing cryptography and PKI systems, information security technologies, and both information governance and cybersecurity best practices. His experience with Microsoft SharePoint and Office 365 extends over the last 10 years. When he’s not helping enterprise, military or government organizations solve security challenges, you can catch him speaking at conferences or contributing to the community through this blog. In his spare time, Antonio likes to oil paint, run, make wine, read and spend time with his family.